Last updated: 08 July 2019
Organizations are increasingly adopting cloud technology and apps into their IT environments. Illustrating this fact, International Data Group (IDG) found in its 2018 Cloud Computing Survey that 73 percent of IT decision-makers (ITDMs) have already witnessed this implementation in their organizations, while 17 percent said they expected to witness such integration over the next year. These statistics make sense in light of the increasing demands for organizations to migrate to the cloud. Indeed, 38 percent of survey participants told IDG that their IT department is under increasing pressure from executive management and/or individual lines of business to migrate all apps and infrastructure to the cloud.
The Risks of Cloud App Adoption
Such fervent adoption doesn’t come without its fair share of risks, unfortunately. In 2018, Symantec found that the average enterprise used 1,516 cloud apps. This number was nearly 40 times greater than what most CIOs thought their organizations were using. Such a disparity suggests that employees are sometimes downloading cloud-based apps without proper authorization from their IT department.
Trend Micro says this lack of approval, when coupled with the growing number of cloud apps officially driven by IT through services like Office 365, is a primary growth factor for an organization’s attack surface. As the security firm explains in a blog post:
The bottom line… is a lack of IT administrator visibility over the apps being used within the organization. Even with best practices in place, IT workers can’t patch vulnerabilities in applications that they don’t know exist within the network. In this way, the attack surface for risk associated with enterprise apps is considerably large – the threat exists for almost every business across all industries.
One of the greatest of these vulnerabilities is the fact that cloud services are on the public web. (This stands in contrast to enterprise apps of yesteryear, programs which were protected within the perimeter by a whole array of security solutions.) Their login pages are completely exposed, which means any bad actor can go to the SFDC login page and carry out an attack at the access point with ease. Alternatively, they can use a phishing attack to steal employees’ account credentials and abuse them to steal sensitive corporate and/or customer data.
The question is: are organizations even aware of these and other risks posed by cloud apps?
Measuring Organizations’ Risk Awareness
Thales interviewed 1,050 ITDMs for its 2019 Access Management Index (AMI). This effort revealed that ITDMs largely know about the dangers discussed above. Forty-nine percent of survey respondents said that cloud apps are most at risk of digital attacks. That’s the third-highest target after unprotected infrastructure (54 percent) and web portals (50 percent). When asked to give a reason for this vulnerability, 63 percent of ITDMs said that their increasing volume makes cloud apps a prime target for digital attacks. Slightly fewer attributed this state of weakness to a lack of strong security solutions (55 percent) and inconsistent protection across the cloud (54 percent).
What’s striking is how many organizations nevertheless fail to adjust their security strategies to keep their companies secure. For instance, 62 percent of respondents said that their employers continue to operate without a CISO despite increased digital security awareness. At the same time, fewer than half of survey participants revealed that their organization uses biometric authentication or software tokens.
But that’s not for a lack of awareness. Indeed, 58 percent of ITDMs believe two-factor authentication to be the access management tool most likely to protect both cloud- and web-based apps. Fortunately, almost all respondents said that cloud access management for cloud applications is conducive to cloud adoption (97 percent), while 96 percent said that ineffective cloud access management can or does cause issues for their organizations.
Recognizing these viewpoints, every company should take three specific steps to better protect the cloud in today’s world. These are as follows: protect cloud apps and services at the access point with appropriate access management and authentication policies; encrypt all sensitive data at rest and in transit; and securely store and manage all encryption keys. By implementing each of these three measures, companies can effectively protect their cloud-based data against digital threats.
Start developing your cloud security with more key stats from our 2019 Access Management Index.